Self-Defense to Cyber Force: Combatting the Notion of ‘Scale and Effect'
Total Page:16
File Type:pdf, Size:1020Kb
American University International Law Review Volume 36 Issue 4 Article 1 2021 Self-Defense to Cyber Force: Combatting the Notion of ‘Scale And Effect' Thomas Eaton Follow this and additional works at: https://digitalcommons.wcl.american.edu/auilr Part of the Internet Law Commons Recommended Citation Eaton, Thomas (2021) "Self-Defense to Cyber Force: Combatting the Notion of ‘Scale And Effect'," American University International Law Review: Vol. 36 : Iss. 4 , Article 1. Available at: https://digitalcommons.wcl.american.edu/auilr/vol36/iss4/1 This Article is brought to you for free and open access by the Washington College of Law Journals & Law Reviews at Digital Commons @ American University Washington College of Law. It has been accepted for inclusion in American University International Law Review by an authorized editor of Digital Commons @ American University Washington College of Law. For more information, please contact [email protected]. SELF-DEFENSE TO CYBER FORCE: COMBATTING THE NOTION OF ‘SCALE AND EFFECT’ THOMAS EATON* I. INTRODUCTION.............................................................697 II. WHY THIS QUESTION IS IMPORTANT......................702 III. STARTING WITH THE TEXT........................................704 IV. CHARTER-IS-DEAD SCHOOL ......................................706 V. SCALE AND EFFECTS SCHOOL ..................................710 VI. PROBLEMS WITH SCALE AND EFFECTS SCHOOL.715 A. PREDICTIVE PROBLEMS..................................................717 B. DESCRIPTIVE PROBLEMS................................................719 i. Problems with Scale and Effects, as conceived........720 ii. Problems with Scale and Effects, as applied...........727 VII. HOW TO BETTER THINK ABOUT SCALE AND EFFECTS OF CYBER OPERATIONS. ...........................730 VIII. PRESCRIPTIVE PROBLEMS....................................742 IX. FORCEFUL COUNTERMEASURES SCHOOL ............745 X. NO GAP SCHOOL ...........................................................754 XI. CONCLUSION .................................................................768 I. INTRODUCTION In early December, it was announced that United States (U.S.) companies SolarWind and FireEye were the victims of a widespread * The author is a Judge Advocate in the United States Navy. The views expressed in this writing are the author’s alone and do not represent the views of the Department of the Navy or the United States Government. The author would like to thank Breawna Power Eaton, for reading numerous drafts, providing excellent feedback, and always being his best editor—both professionally and personally. The author would also like to thank the Editorial Staff at the American University International Law Review for vastly improving this writing, and importantly the faculty of The Fletcher School, particularly, Professors Tom Dannenbaum and Michael Glennon. 697 698 AM. U. INT’L L. REV. [36:4 and pervasive cyber-attack that possibly affected tens of thousands of government computers. “[T]he magnitude of this ongoing attack is hard to overstate.”1 While the attack remains under investigation at the time of this writing, “[e]vidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.”2 What will happen next, with regard to both how the U.S. will respond and what they can and will do to prevent future attacks, remains uncertain. A major reason for this uncertainty is that the entire spectrum of cyber warfare challenges the paradigm of how “war” has been traditionally defined. The right to self-defense is present in almost all legal systems, both between persons and between states. Between nations, the debate over what level of force justifies a lawful use of force in response, purportedly laid out in the United Nations Charter, began even before the Charter was signed. Defining force in the cyber domain poses new challenges, yet this unique, quickly evolving facet of warfare has simply been pasted on top of the older, unresolved debate. It would be overly ambitious to attempt to resolve fundamental, long-debated disagreements about how to read the language of Arts. 2(4) and 51. However, the analysis applied by the majority view – looking at the “scale and effect” of cyber operations, as in Tallinn Manual 2.0 – is unrealistic, unworkable, and undesirable. The challenge of defining force in the cyber domain remains; however, descriptively, predictively, and proscriptively, states are justified in responding to any force with counterforce in self-defense, proportionality acts as the throttle to self-defense, rather than the unreasonably high standard of “scale and effect.” The ability to reach out, with a few keystrokes or a couple lines of code, through the interconnected world of cyberspace and create militarily advantageous effects 10,000 miles away has changed warfare as previously conceived, perhaps more than any other 1. Thomas P. Bossert, Opinion, I Was the Homeland Security Adviser to Trump. We’re Being Hacked, N.Y. TIMES (Dec. 16, 2020), https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia- hack.html. 2. Id. 2021] SELF-DEFENSE TO CYBER FORCE 699 advancement in any other domain of war. Cyber weapons are weapons, and whatever law applies to conventional weapons equally applies to cyber weapons.3 Long before cyber operations were even science fiction, there was much debate over what constituted a use of force that would justify force in response. In many ways, the debate over what constitutes cyber-attacks has been pasted on top of that older debate, but the unique form of harm that cyber-attacks cause adds novel questions to these older debates. Lacking a physical instrument, yet possessing the potential to cause greater harm, cyber-attacks seem simultaneously less and more “forceful.” How one views that dichotomy, coupled with how they generally view the Charter regarding conventional force, has led to varying answers to the salient question: what is the threshold of cyber force required to justify the use of counterforce in self-defense? When something breaks on the receiving end of a cyber-attack— when people die, when fires erupt, when opened dams destroy villages—few seem to disagree4 the act would be a “use of force,” likely rising to the level of an “armed attack” that would justify lawful force in “self-dense” in response, regardless how one regards the text of Article 51 of the United Nations (UN) Charter.5 The far more complicated question is: what happens when nothing “physical” breaks? When only data is destroyed, when government email stops working, when banking systems fail, when stock markets crash, but no one is injured, no property is destroyed? A cyber-attack is not “a monolithic technique . there are many methods by which computer networks have been, or could be, attacked.”6 Each attack must be analyzed individually. However, the most widely accepted view, as advanced in the Tallinn Manual 2.0, 3. See Daniel B. Silver, Computer Network Attack as a Use of Force under Article 2(4) of the United Nations Charter, 76 INT’L L. STUD. SERIES U.S. NAVAL WAR COLL. 73, 76 (2002) (noting that using a weapon to target a computer raises the same questions under international law as would the targeting of any other piece of equipment). 4. See TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS 341 (Michael N. Schmitt ed., 2nd ed. 2017) [hereinafter TALLINN MANUAL 2.0]. 5. See U.N. Charter arts. 2, ¶ 4, 51. 6. Silver, supra note 3, at 76 (proceeding to discuss various means of cyber- attacks). 700 AM. U. INT’L L. REV. [36:4 looks to the “scale and effects”7 test adopted from the International Court of Justice’s (ICJ) judgment in the Military and Paramilitary Activities in and Against Nicaragua 8 This classic analysis is reasonable at first glance, if one accepts a textual reading of the UN Charter, even with limited modification based on subsequent state practice and judicial decisions, as did the authors of the Manual (the self-proclaimed International Group of Experts (IGEs)).9 Others have argued that state practice has irretrievably broken the language of the Charter, asserting that even engaging in a discussion over how to interpret the terms “armed attack” in differentiation of “use of force” is meaningless—states will do what states do.10 Various framings and weights given to the varying sources of authority of how to interpret the language of the Charter, subsequent state practice, and judicial decisions place the starting point of this analysis in vastly different locations. Sean Murphy offers “Four Schools of Thought” on how to interpret the UN Charter on the question of preemptive self-defense.11 His Schools on that question are: “‘The Strict-Constructionist School,’ ‘The Imminent Threat School,’ ‘The Qualitative Threat,’ and ‘The ‘Charter-Is-Dead’ School.’”12 7. See TALLINN MANUAL 2.0, supra note 4, at 330–31 (referring to “scale and effects” as “a shorthand term that captures the quantitative and qualitative factors to be analyzed in determining whether a cyber operation amounts to the use of force”). 8. See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, ¶ 195 (June 27). 9. See TALLINN MANUAL 2.0, supra note 4. 10. See, e.g., Michael J. Glennon, What’s Law Got to Do with It?, 26 WILSON Q. 70, 75 (2002) (arguing that states act alone when acting multilaterally is not in their best interest); Thomas M. Franck, Who Killed Article 2(4)? Or: Changing Norms Governing the Use of Force by States, 64 AM. J. INT’L. L. 809, 809 (1970) (acknowledging that historically, states have sometimes “succumbed to the temptation to settle a score, to end a dispute or to pursue their national interest through the use of force”). But see W. Michael Reisman, Thomas Franck and the Use of Force, 104 AM. SOC’Y INT’L L. PROC. 403, 406 (2010) (highlighting the United Nations’ major contribution of prohibiting war as individual state policy, instead replacing it with a collective security system). 11.